I'm having some trouble with getting the Order directive right in a vhost configuration in Apache.

I have some IP addresses that I want to totally deny access to the entire vhost. These have been previously flagged as malicious.
I also want to deny all requests apart from GET and HEAD from all IP addresses, apart from our internal IP range.

I'm having trouble with the first Directory directive and figuring out how is best to arrange it with the Order directive.

This is what I've got so far and it doesn't appear to work so I'd like to get some advice on how is best to order this block...

Place that in your <Virtualhost> outside and </Directory> containers. Should the list of IPs be large or volatile you can also use RewriteMap and a variation on the above to keep IPs in a separate file as a more scalable solution.